Design question
I am wanting to use SCCM primarily for maintenance windows to deploy security updates to our internal and DMZ servers. What is the best way of setting this up cost-effectively? One server should be sufficient as we do not have more than 1000 servers. I would like to place the server on the internal network and open up the relevant ports so the DMZ servers can communicate with it. The SCCM server will solely be used for deploying Windows patches; there is no plan to deploy software or use any of the other features. I'd be grateful for any advice, thanks.
September 30th, 2010 11:40am

Hi, for DMZ I normally have a primary site server in the DMZ configured as a child site to my "internal" central site server. You will be able to service DMZ clients from an internal site server, it does however require that you open the ports specified in this article - http://technet.microsoft.com/en-us/library/bb632618.aspx
Kent Agerlund | http://scug.dk/members/Agerlund/default.aspx | The Danish community for System Center products
September 30th, 2010 12:08pm

Thanks, it is possible to have one server on the internal LAN and open ports so the DMZ clients can communicate with it, isn't it? If I went with your suggestion of putting a primary site server in the DMZ, would this require its own SQL installation and WSUS installation? Thanks.
September 30th, 2010 12:35pm

Hi,
1) Yes, it is possible.
2) Yes, a primary site will require a SQL and WSUS.
Kent Agerlund | http://scug.dk/members/Agerlund/default.aspx | The Danish community for System Center products
September 30th, 2010 12:44pm

Thanks again. What are the drawbacks of option 1? And what ports would be needed to implement this?
September 30th, 2010 12:52pm

So the central site server and the primary site child server will each have their own SCCM DB, and both have their own individual WSUS DB? What are the pros and cons for both scenarios please? Thanks.
September 30th, 2010 1:02pm

Ports are described here - http://technet.microsoft.com/en-us/library/bb632618.aspx
Pros for having two separate sites are that only site servers communicate with each other, which makes it more firewall friendly.
Kent Agerlund | http://scug.dk/members/Agerlund/default.aspx | The Danish community for System Center products
September 30th, 2010 1:10pm

Cheers, how would a dedicated central site server work in a DMZ? Will it work? There is no Active Directory provision in the DMZ. Could do with the pros and cons of scenario 1 as well please. Thanks.
September 30th, 2010 1:12pm

Hi, ConfigMgr requires AD, so it will not work in the DMZ if there is no AD.
Kent Agerlund | My blogs: http://blog.coretech.dk/author/kea/ and http://scug.dk/ | Twitter @Agerlund | Linkedin: /kentagerlund
December 19th, 2010 12:43pm

This topic is archived. No further replies will be accepted.
